user auth how safe is this?

deregular

Anyone know if this code is safe to use to base a login user management script on? If not, any suggestions?

<?php

// File Name: auth04.php
// Check to see if $PHP_AUTH_USER already contains info

if (!isset($PHP_AUTH_USER)) {

	// If empty, send header causing dialog box to appear

	header('WWW-Authenticate: Basic realm="My Private Stuff"');
	header('HTTP/1.0 401 Unauthorized');
	exit;

} else if (isset($PHP_AUTH_USER)) {

	// If non-empty, check the database for matches
	// connect to MySQL
            require"config.php";
	mysql_connect("localhost", "$dbuser", "$dbpasswd")

		or die ("Unable to connect to database.");

	// select database on MySQL server

	mysql_select_db("$dbname")
		or die ("Unable to select database.");

	// Formulate the query

	$sql = "SELECT *
            FROM Users
            WHERE Email='$PHP_AUTH_USER' and Password='$PHP_AUTH_PW'";



	// Execute the query and put results in $result

	$result = mysql_query($sql);



	// Get number of rows in $result. 0 if invalid, 1 if valid.

	$num = mysql_numrows($result);
            $bts = mysql_fetch_array($result);

	if ($num != "0") {


             print"You are authenticated!";


	} else {

		header('WWW-Authenticate: Basic realm="My Private Stuff"');
		header('HTTP/1.0 401 Unauthorized');
		echo 'Authorization Required.';
		exit;

	}

}
?>

planetsim

Its as about as safe as the passwords created as they do not look to be encrypted anyway its not that secure use md5() which is a hash.

Secondly use $_SERVER at the moment you are coding with register_globals = on this is not a good coding practice

devinemke

also please note that your script will only work with Apache and PHP running as an Apache module.

deregular

Originally posted by planetsim
Its as about as safe as the passwords created as they do not look to be encrypted anyway its not that secure use md5() which is a hash.

Secondly use $_SERVER at the moment you are coding with register_globals = on this is not a good coding practice

Thanks for the advice guys

Planetsim, You mean like this?

if (!isset(_$SERVER['$PHP_AUTH_USER'])) {

I will be implementing Md5 into it so that passwords are hashed in the database. Would this make it fairly secure?

divinemke wrote:
also please note that your script will only work with Apache and PHP running as an Apache module.

Im unsure what you mean here, what makes it apache specific rather than being able to be used cross platform?

Forgive me for being a bit slow, i only just started using php and mysql last week. Im getting there though, ive written a few successful scripts now, I just have to learn more about how to write cleaner code and more about security.

devinemke

Originally posted by deregular
Im unsure what you mean here, what makes it apache specific rather than being able to be used cross platform?

$SERVER['PHP_AUTH_USER'] and $SERVER['PHP_AUTH_PW'] will only be set when PHP is running as an Apache module (as opposed to running PHP as a CGI process). If you are only developing this app for use on one server than you know (or control) the configuration, then this may not be important. if you are developing an app that you may distribute to others running a wide variety of servers/configs then you may want to write your own auth routine.

deregular

thanks for the response devinemke, i dont think ill have a problem though, as it is not going to be for distribution,
Im writing an app to take care of my company's backend, employee listings, calculating earnings as employees enter them for each day etc... and will use it to set access levels for editing data.
Ive already implemented the md5 encryption to match hashes instead rather than the raw passwords in the db, also added the user auth script for adding/editing/deleting listings, so it all looks like its starting to come together. Ive also swapped to SERVER, GET, _POST etc...

Thanks for all the advice guys, this forum's taught me more in 2 days, than i have learnt in books in the last month.

MarkR

It won't be safe at all if you send strings into the database without escaping them adequately.

I could use your auth system to do SQL injection, bypassing it, but also potentially damaging stuff.

Mark

deregular

Originally posted by MarkR
It won't be safe at all if you send strings into the database without escaping them adequately.

I could use your auth system to do SQL injection, bypassing it, but also potentially damaging stuff.

Mark

Hi mark,
Could you show me how you would escape strings adequetely based on the above code I posted?
Where would I do the check?
Because this is a company back end, I need it to be at least semi difficult for anyone to damage anything.

Thanks!

MarkR

I'm not willing to spoonfeed, please go and read up on how to prevent sql injection attacks

Mark

deregular

Originally posted by MarkR
I'm not willing to spoonfeed, please go and read up on how to prevent sql injection attacks

Mark

Mark if you're not willing to help, then dont bother posting.

FYI, I will be using a different script than the one i posted above. A simple example of how you would prevent a sql injection of that example script would have given me a large insight into understanding and how to also begin going about editing other scripts to prevent sql injection.

Im not asking to be spoonfed, Im learning, and seeing as many real life examples is usually the best way of learning.
So far Ive learnt much more that way than reading bullsh*t references in manuals, and php books with no examples.

As they say, If you want to learn to speak German, go to Germany!

Most people on here are very very helpful, and very patient with us newbies, and I'm sure all of us are very thankful for that.

Can anybody else show me an example of how you would protect the above script from possible sql injection?

Thanks in advance.
Sorry bout the rant.

planetsim

Ok an SQL injection can look something like this

SELECT * FROM mytable
WHERE username = ''' 
AND password = ''
"

From that an error will occur as there are 3 single quotes, if an error does occur the attacker can do something like this

';SHOW DATABASES

the code in your query will look like so

SELECT * FROM mytable
WHERE username = '';SHOW DATABASES' 
AND password = ''
"

Not protected the user will have a list of all databases on the server under that username, password combination, they can do many things if this is successful such as update a client records password to nothing and enter into that user without requiring a password.

Or more damaging deleting all data in the database.

How to fix this you can use a quite a few things

Firstly make sure magic_quote_gpc is off if not do a search i have placed a function on how to fix that.

From there you can use addslashes(), mysql_escape_string

From there you should probably read up on this link http://www.owasp.org/ at the moment they are fixing there site. But look on it for the top 10 security vunerabilities

deregular

thanks planetsim.
Just from your response and examples, I can see how the script can be comprimised and why. I can now go and research those functions and try to get my head around making things safer.

I understand it all little better now.

Cheers!